Monday, 19 December 2011

Crm Hidden Security Privileges

The Background
I recently had a client who couldn’t create BU even when she was give all rights on the “Business Unit” entity.


The Symptoms
When the user created a BU under the root BU, she will get a big error in face says “You do not have enough privileges to access the Microsoft Dynamics CRM object or perform the requested operation.”. In the Crm server trace log, I found the following error message:

Error: Exception has been thrown by the target of an invocation.
Error Number: 0x80048306
Error Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: e4b0437d-0c33-e011-aed8-00155d00cb35, OwningUser: 00000000-0000-0000-0000-000000000000 and CallingUser: 62eeaabf-2e49-e011-8b16-00155d00cb35
Error Details: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: e4b0437d-0c33-e011-aed8-00155d00cb35, OwningUser: 00000000-0000-0000-0000-000000000000 and CallingUser: 62eeaabf-2e49-e011-8b16-00155d00cb35

Investigation:
As the tracing log has no mention about the privilegeid, I decided to have a play with the security role just in case creating BU requires privilege of other entities. However after I added full privileges to every entity for that user, she still could not create a BU. While I was scratching my head, my colleague has mentioned hidden privileges to me.

The Solution:
The cause of the issue was the lack of crm hidden privileges. To enable a security role to allow its user to create BU, you need to give it some special security roles which is not available on the UI. The easiest way you can assign those privileges to a role is to copy from another role which already has those special privileges. So what I done was that I copied the system admin role to a new role called “BU Creator”, Then I removed every privilege I could from that role. So that the “BU creator” role essentially became a role which only contained special privileges. Then I added the role to the crm user I was using and it worked!

If you want to dig deeper into the crm hidden securities, here is a great blog post to read http://blogs.msdn.com/b/crm/archive/2009/08/04/viewing-all-crm-privileges-including-hidden-privileges.aspx.

Additional Reference:
http://support.microsoft.com/kb/957976/en-us

No comments:

Post a Comment